Faked states attack using detector efficiency mismatch on SARG04, phase-time, 

DPSK, and Ekert protocols 
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In quantum cryptosystems, variations in detector efficiency can be exploited to stage a successful 
attack. This happens when the efficiencies of Bob's two detectors are different functions of a control 
parameter accessible to Eve (e.g., timing of the incoming pulses). It has previously been shown that 
the Bennett-Brassard 1984 (BB84) protocol is vulnerable to this attack. In this paper, we show that 
several other protocols and encodings may also be vulnerable. We consider a faked states attack 
in the case of a partial efficiency mismatch on the Scarani-Acin-Ribordy-Gisin 2004 (SARG04) 
protocol, and derive the quantum bit error rate as a function of detector efficiencies. Additionally, 
it is shown how faked states can in principle be constructed for quantum cryptosystems that use a 
phase-time encoding, the differential phase shift keying (DPSK) and the Ekert protocols. 

PACS numbers: 03.67.Dd 

Keywords: quantum cryptography, quantum cryptanalysis, single photon counting, single photon detectors 



I. INTRODUCTION 

Quantum key distribution (QKD) is a technique that 
allows remote parties to grow shared secret random key 
at a steady rate, given an insecure optical communica- 
tion channel and an initially authenticated classical com- 
munication channel between them [TJ [2] . Since the first 
experimental demonstration eighteen years ago [1], QKD 
systems have developed to commercial devices working 
over tens of kilometers of optical fiber [3] , as well as ex- 
periments over more than a hundred kilometers of fiber 
H E E H HI IS], 23 km and 144 km of free space 
PHI [TTJ E21- Although the security of QKD has been 
unconditionally proven for a model of equipment that 
includes certain non-idealities [13] [HI [TSJ HSJ [17], not 
all real properties of optical and electrooptical compo- 
nents have been included into the proof. Identifying 
the properties of components potentially dangerous for 
security and integrating them into the proof (or clos- 
ing the issue in some other way) is an ongoing work 

[Tunni uni nn 

In this paper, we continue to analyse a common im- 
perfection of Bob's single photon detectors: variation of 
their efficiency that can be controlled by Eve via a choice 
of an external parameter. It has been shown in Refs. EH 
and [5H that even smallest variations of one detector effi- 
ciency relative to the other detector reduce the amount 
of secret information theoretically available to Alice and 
Bob in the case of the BB84 protocol. The amount of 
key compression during the privacy amplification must 
be adjusted based on an evaluation of the worst-case ef- 
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ficiency mismatch of Bob's detectors. We recap these 
results in Sec. [TT] In the following sections, we consider 
other protocols and encodings: 
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SARG04 in Sec. 
class of schemes using the phase-time encoding and the 
DPSK protocol in Sec. |IV| and the Ekert protocol with a 
source of entangled photons in Sec.|V] It is shown how to 
construct a faked states attack [20 against these proto- 
cols and encodings. For the SARG04, the upper bound 
on available secret key information is estimated, through 
calculating the quantum bit error rate (QBER) caused 
by this attack in the case of a partial efficiency mis- 
match. For the other protocols, we consider the case 
of a total efficiency mismatch only and make no quanti- 
tative estimates. Although the case of the total efficiency 
mismatch can occur in practice |21j . usually detectors in 
a QKD system will merely have some partial efficiency 
mismatch. This work is thus the first step in analysing 
detector efficiency mismatch in these protocols. 



II. BB84 PROTOCOL 

Variation of efficiency is a common and, indeed, un- 
avoidable imperfection of single photon detectors. The 
efficiency may depend on the timing of incoming light 
pulse (e.g., in gated detectors based on avalanche pho- 
todiodes), wavelength of incoming light (e.g., in up- 
conversion detectors [25l [26j [27]), polarization and 
other parameters conceivably controllable by Eve. In 
QKD schemes that employ two detectors (or a time- 
multiplexed detector), the variation will be different be- 
tween the detectors (or detection windows), allowing Eve 
to control the relative probability of one detection out- 
come over the other. 

To illustrate how she can use this to construct a sue- 
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cessful attack on the BB84 protocol jT], we assume at 
first that the efficiency mismatch for some values of the 
control parameter is so large that Eve can practically 
blind cither detector while the other remains sensitive. 
This situation is called a total efficiency mismatch. We 
call the value of the control parameter that blinds the 1 
detector to, and the value that blinds the detector t\. 

Eve then proceeds with an intercept-resend attack: she 
uses a replica of Bob's setup to detect every Alice's state, 
and resends certain states of light to Bob. It is well known 
that a straightforward intercept-resend attack, in which 
Eve resends quantum states that simply repeat her detec- 
tion results (bit value and basis) , is doomed to fail. This 
is because Eve does not know Alice's basis, will thus de- 
tect half of Alice's qubits in a wrong basis, and cause 
25% errors in Bob's key. However, our intercept-resend 
attack has an important twist: Eve sends states of light 
that only get detected by Bob when he chooses the same 
basis as Eve, otherwise they cause no click in Bob's detec- 
tors (we'll explain in a moment how Eve achieves this). 
In such a case, all Eve's detections in a wrong basis be- 
long to the qubits detected by Bob in the same wrong 
basis, and are discarded by Alice and Bob during sifting. 
What remain after sifting are those bits which have been 
sent by Alice, detected by Eve and detected by Bob in 
the same basis for all three parties. This key is error- free, 
and Eve knows every bit of it. 

The intercept-resend attack "with a twist" described 
above is a faked states attack, and the specially formed 
light states Eve resends to Bob are called faked states 
[20] . The faked state Eve resends in our case would be 
a state normally used in the protocol but with the op- 
posite bit value in the opposite basis comparing to what 
she has detected. At the same time, in the faked state 
Eve sets the value of the control parameter that blinds 
the detector for the opposite bit value from what she has 
detected. For example, suppose Eve has detected the 
bit value in the X basis. She resends the 1 bit in the 
Z basis, with the control parameter to. If Bob tries to 
detect this faked state in the Z basis, he never detects 
anything, for his 1 detector is blinded by Eve's choice of 
the control parameter. If he tries to detect in the X ba- 
sis, he with equal probability doesn't detect anything or 
detects the bit. The reader may notice that the attack 
reduces the detection probability at Bob, but this can be 
compensated by a proportionally increased brightness of 
the faked states. Thus, in the case of the total efficiency 
mismatch, Eve can run a faked states attack that causes 
zero QBER and gives her full information on the key [2T] . 

In the case of a partial efficiency mismatch, when either 
detector cannot be completely blinded, this attack causes 
some non-zero QBER. Eve can pick the values of the 
control parameter to minimize the ratios %(^i)/ ? 7i(^i) 
and 771 (to) / 'vo(to) 1 where rjo and r\\ are efficiencies of the 
and 1 detectors. It has been shown in Ref. [2T]that in 
this case the attack causes 



In the special case of symmetric detector efficiency curves 

J7o(*i)/»7i(<i) = Ti(*o)/»?d(*o) = V and Eve adjusting the 
brightness of her faked states sent with to and t\ such 
that Bob's detection probability for both values of the 
control parameter remains equal, this simplifies to 



(QBER) = 



2q 



l + 3r? 



(2) 



(QBER) 



27 ?0 (t 1 )+ 27 7l (io) 



»7o(*o) + 3?7o(ii) + 3t7i(*o) + m(h) ' 



(1) 



The QBER value of 0.11 (commonly regarded as the 
threshold value for the BB84 protocol, after which no 
secret key could be extracted) would be reached at 77 ss 
1/15. 

The attack described above is not necessarily optimal. 
In Ref. [2T| we say that the BB84 protocol is secure pro- 
vided (QBER) < 0.1 177 and an extra amount of privacy 
amplification is applied. However, it has since been no- 
ticed that Eq. 11 in Ref. [2TJ on which this conclusion 
is based, is incorrect. It follows from Eq. 11 that if 
QBER is zero, Eve has no information. Qi and coworkers 
have pointed out that when Eve can affect Bob's detec- 
tor efficiencies, she gets partial information about the key 
from Bob's announcement of which qubits have actually 
arrived [22]. Thus the available bit rate after privacy 
amplification is reduced even in the case (QBER) = 0. 
This makes possible the so-called time-shift attack, in 
which Eve alters randomly the control parameter of the 
qubits without otherwise interacting with them |221 123] . 
A purely classical side-channel attack on a system where 
Bob measures and announces detection timing has also 
been proposed [24 . A more general theory, which is not 
yet available, would encompass the time-shift (or, more 
generally, parameter-shift) attacks into the equation for 
the available bit rate. 



III. SARG04 PROTOCOL 

The purpose of the SARG04 protocol [251 12^1 150] is 

to increase the maximum trasmission distance and key 
yield in schemes that use a weak coherent source; the 
protocol has improved characteristics against the photon 
number splitting attack, comparing to the BB84. Here 
we consider the version of the SARG04 that uses states 
physically equivalent to those used in the BB84 (Fig. [IJ , 
and differs from the latter only at the sifting stage. The 
bit values and 1 in the SARG04 are encoded by the 
choice of basis. Alice sends randomly one of the four 
states |0 o ), |0f,), |1 ) or Bob measures either in the 
or 1 detection basis, and uses two detectors labeled a 
and b. At the sifting stage, Alice announces publicly a 
set of two states that contains the actual state sent and 
a random state from the opposite basis. For definiteness, 
suppose that Alice has sent |0 a ) and that she has an- 
nounced the set {|0 a ), |1 Q )}. If Bob has measured in the 
basis, he has certainly got the result a ; but since this 
result is possible for both states in the set {|0 Q ), |l a )}, 
he has to discard it. If he has measured in the 1 basis 
and got l a , he again cannot discriminate. But if he has 
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FIG. 1: States configuration for the SARG04 protocol in the 
case when the states used are physically equivalent to those 
in the BB84 protocol. The circle represents the equator of 
the Poincare sphere. 



measured in the 1 basis and got l b , he knows that Alice 
has sent |0 a ), and adds to his key. 

Since this protocol uses the same states as the BB84, 
the faked states attack described in the previous section 
could be applied to it. In the case of the total efficiency 
mismatch, it obviously causes zero QBER. To calculate 
the QBER it causes in the case of the partial efficiency 
mismatch, we follow the approach of Ref.|2T]and consider 
all the possible basis and detector combinations during 
the attack. The different events are shown in Table U 
for the special case where Alice sends the |0 a ) state (the 
other three cases are symmetrical to this case). We dis- 
regard the probability of Eve's and Bob's detectors firing 
simultaneously due to the multiphoton fraction of the 
pulses, assume that Bob's detectors have no dark counts, 
assume that Eve's detectors and optical alignment are 
perfect, and that Eve generates faked states that match 
the optical alignment in Bob's setup perfectly. None of 
these assumptions is critical for the attack to work, but 
it is convenient to make them in order to simplify the 
calculation. 

Based on the probabilities in the table, we calculate 
the QBER caused by the attack. When Alice sends the 
|0 o ) state, the probability that the qubit arrives at Bob 
and is not discarded as an inconclusive detection result 
during sifting is 

P(arrive|A=0j=i[i»7 o (t o )+^ o (t 6 )+^»ft(t o )+^%(t 6 )]. 

(3) 

The probability of arrival averaged over Alice's four state 
choices is found by symmetrization of this equation, 
yielding 

P(arrive) = ^[r} a (t a ) + fyafa.) + 7r, b (t a ) + i] b (t b )}. (4) 
Similarly, we find the QBER, 



TABLE I: The intercept-resend attack on the SARG04 pro- 
tocol when Alice sends the |0 a ) state (as indicated in the first 
column; in the table, brackets around states are omitted for 
clarity). The second column contains the basis chosen by Eve 
and the measurement result; the third column shows the state 
and timing as resent by Eve. In the next columns Bob's basis 
choice and measurement results are given. For the case with 
the partial detector sensitivity mismatch, the probabilities for 
the different results are shown, given Eve's state and timing 
in addition to Bob's basis. In the last two columns, pairs of 
states announced by Alice during sifting (two possible pairs 
announced with equal probability of 1/2), and the sifting re- 
sults, are shown. Note that, for ease of discussion, the first 
two rows are repeated so that each row in the table occurs 
with probability 1/8. 
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(QBER)= ^'( error ) ^Vajtb) + ^Vb(tg) ^ j n fog special case of symmetric detector efficiency 

P(arrive) rj a (t a ) + 7n a (t b ) + 7n b (t a ) + i lb (t b ) ' curves , we get 

(5) 

where P(error) accounts for the cases when Bob keeps a it\t3t?-d\ ^ 

bit value different from what Alice has sent. ^ 1 + 7r]' 



4 



Security bounds and operating conditions for the 
SARG04 and BB84 protocols are different [3Q1 EH [32j 
1551 133]. The same value of optical misalignment (mea- 
sured by, e.g., fringe visibility in the interferometer) leads 
to different QBER for the two protocols. The optimal 
photon number in a weak-pulse implementation differs 
between the protocols, so detector dark counts will make 
a different contribution to the QBER as well [50] 133] , 
Therefore, a system using the same optical hardware 
and the same communication line will run at a differ- 
ent QBER level for each protocol. If we wanted to 
compare the QBER caused by our attack on these two 
protocols, it should be done in this context, which is 
not at all straightforward. We note, however, that in 
SARG04 our attack causes QBER lower than O.lf when 
r\ < 1/30, while in BB84 (see Eq. |2| the same happens 
when -q < 1/15. The effect of the described attack on 
these two protocols appears to be of the same order of 
magnitude. 

The faked states attack leads to reduced bit rate ac- 
cording to Eq. [4] Eve may compensate this by resending 
a brighter signal. Alternatively, she may place her mea- 
surement device close to Alice and her resend device close 
to Bob, getting rid of the channel loss. The attack may 
also lead to altered coincidence count rates at Bob. How- 
ever, with the help of timing and state parameters, Eve 
may have several degrees of freedom to compensate this 
as well. For example, by eliminating the channel loss 
and resending single photons, the coincidence detections 
may be eliminated. Furthermore, the ability to do pho- 
ton number measurement on Alice's pulses would allow 
Eve to completely remove her influence on coincidence 
counts [2T]. She could, for instance, only attack single- 
photon pulses, while passing multi-photon ones (those 
that cause coincidence counts) to Bob undisturbed, at the 
cost of not getting a small fraction of the key. How much 
Eve would have to do in practice depends, of course, on 
the actual checks Bob implements (or not implements, as 
may be the case) . 



IV. PHASE-TIME ENCODING AND DPSK 
PROTOCOL 

In a QKD system with the phase-time encoding 35j, 
Alice prepares one of the four states: \l), \s), \l) + \s) or 
| Z) — | , where \l) and \s) denote states that have travelled 
via the long and short arm of Alice's AMZ (Fig. [2]). Bob 
gates his detectors three times. The state |/) can cause 
a detection either in the SI or S2 time slot. The state 
|s) can cause a detection either in the S2 or S3 time slot. 
The states \l) + \s) and \l) — \s)} can cause a detection 
in any of the three time slots. The plus or minus sign 
determines which of the two detectors (DO or Dl) clicks 
when the detection happens in the S2 time slot where the 
pulses from the two arms of Bob's AMZ have interfered. 
Thus, pairs of states \s)} and {|^) + \s) ,\l) — \s)} form 
two bases. This system uses the BB84 protocol. (We 



note that the function of Bob's apparatus is similar to 
an earlier system that uses entangled photons in energy- 
time Bell states [55].) 

Faked states for this QKD system are listed in Table |n| 
Eve uses an apparatus that can form a single pulse (de- 
noted \ll)) in the time slot that follows the time slot of 
Alice's |Z) state, a single pulse (denoted \ss)) in the time 
slot that precedes the time slot of Alice's \s) state, or co- 
herent states consisting of four pulses with certain phase 
shifts between them and a certain value of the control 
parameter t (which can be timing as shown on the dia- 
grams, or some other parameter). The single pulse states 
are sent with the control parameter value ^normal that 
blinds neither detector. The coherent four pulse states 
are sent with the control parameter value to or t\ that 
blinds the detector Dl or DO. The faked states rely on the 
lack of detector gating in what would be Bob's time slots 
SO and S4, or on Bob discarding detection results with 
these times. Additionally, in the last two faked states, 
Eve blinds one of Bob's detectors by the choice of the 
control parameter. 

In a QKD system with the DPSK protocol [5], Al- 
ice randomly modulates the phase of a weak coherent 
pulse train by {0, 7r} for each pulse, and sends it to Bob 
with an average photon number of less than 1 per pulse 
(Fig. [3]). Bob measures the phase difference between ad- 
jacent pulses with a 1-bit delay interferometer followed by 
two detectors placed at the interferometer output ports. 
Detector DO clicks when the phase difference is and 
detector Dl clicks when the phase difference is 7r. Since 
the average photon number per pulse is less than 1, Bob 
observes clicks only occasionally and in a random time 
slot. Bob informs Alice of the time slots in which he has 
observed clicks. From her modulation data Alice knows 
which detector has clicked on Bob's side, so they share 
an identical bit string. 

Faked states for this QKD system are constructed sim- 
ilarly to the previous one (Fig. [4]). In the case of the 
DPSK, Eve can run two generators of faked states in 
parallel, so that states with the values of the control pa- 
rameter to and t\ may overlap. When Eve has had iden- 
tical detection results in two adjacent bit slots, she can 
use a single-pulse faked state. In all other cases she gen- 
erates longer faked states that encompass two or more 
detection results with the same bit value. In these faked 
states, Bob's other detector is blocked by the choice of 
the control parameter, and unwanted bit slots are blocked 
by destructive interference. In the limit, Eve may just 
generate two continuous trains of pulses with the control 
parameters to and t±, and modulate the phase of pulses 
in each train to produce the detections she wants at Bob. 

In the system in Ref. |8j Bob actually uses non-gated 
detectors, registers timing of all counts, and then se- 
lects timing ranges in software (this procedure is roughly 
equivalent to detector gating). In this system, Bob could 
easily implement monitoring of count statistics in the 
time domain, thus preventing Eve from using timing as 
a control parameter. However, we remind the reader 
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FIG. 2: Scheme of a QKD system utilizing the phase-time encoding [35] . SMZ, symmetric Mach-Zehnder interferometer; AMZ, 
asymmetric Mach-Zehnder interferometer; PM, phase modulator; Att., optical attenuator; DO and Dl, single photon detectors. 
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FIG. 3: Scheme of a QKD system utilizing the DPSK protocol [8]. IM, intensity modulator; PM, phase modulator; Att., optical 
attenuator; DO and Dl, single photon detectors. 
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FIG. 4: Time diagram of a QKD system utilizing the DPSK ptotocol, and faked states for it. The three uppermost waveforms 
represent the intensity of light during normal system operation; the phase if of each Alice's pulse is noted. The rest of the 
diagram shows examples of possible faked states. For the compactness of illustration, Alice's average photon number per pulse 
is increased greatly, which gives Eve more frequent detections than would be possible in a real system. The arrows indicate 
how every pulse coming to Bob is split into the two arms of his interferometer. 
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TABLE II: Faked states for a QKD system utilizing the phase- 
time encoding. Each faked state is illustrated by a time dia- 
gram. The arrows indicate how every pulse coming to Bob is 
split into the two arms of his interferometer. The waveform 
for the intensity of light at Bob's detector that is blinded by 
Eve's choice of the control parameter t is printed in gray. 
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that control parameters other than time can be used 
by Eve. In this particular system, up-conversion detec- 
tors in Bob's setup employ narrow spectral filtering |26j . 
Eve could try to control wavelength of incoming pulses 



in addition to or instead of their timing. 

The part of Eve's setup that generates faked states for 
both systems considered in this section may be similar 
to Alice's setup in Fig. [3J In the case of the DPSK, two 
such setups could possibly be used, with their outputs 
combined on an optical coupler. 

In the first of the two systems considered in this sec- 
tion, the system with the phase-time encoding, Bob 
would normally observe some coincidence counts at his 
detectors. To keep his coincidence rates the same as be- 
fore the attack, Eve could occasionally simulate a coinci- 
dence count. She can do this by sending to Bob a faked 
state or several faked states that simultaneously address 
different detectors and/or bit slots. She could also con- 
trol the photon number statistics of her faked states and 
employ the photon number measurement as described in 
the end of Sec.lTlTl 

Although we do not calculate it here, the faked states 
presented in this section would obviously work in the 
case of the partial efficiency mismatch, causing the more 
QBER the smaller the mismatch becomes. We note that 
schemes utilizing the DPSK protocol with limited-length 
states [37J EE] can also be attacked using the methods 
considered in this section. 



V. EKERT PROTOCOL 

The Ekert protocol [3j5] uses an external source of en- 
tangled pairs of photons in a singlet state, from which 
one photon is routed to Alice and the other to Bob. Alice 
and Bob perform measurements on their photons in one 
of the possible bases (Fig.[5|, choosing between the bases 
randomly and independently of one another for each pair 
of incoming photons. After a series of measurements has 
taken place, the choices of bases are publicly announced. 
For those pairs where Alice and Bob both have registered 
a count in their detectors, quantum mechanics guaran- 
tees certain degree of correlation between the measure- 
ment results, depending on the combination of the bases 
chosen. The quantity 



S(aj,bj) = P ++ (a 4 ,bj) +P__(a l ,b i ) 
-P + _(a i ,b i ) - P_ + (a 4 ,bj) 



(7) 



is the correlation coefficient of the measurements per- 
formed by Alice in the a^ basis and by Bob in the bj basis. 
Here P±±(aj,bj) denotes the probability that the result 
±1 has been obtained in the &i basis and ±1 in the bj 
basis. For two identical pairs of bases (a2,bi and a3,b2) 
the measurement results are totally anticorrelated: 



£(a 2 ,bi) = £(a 3 ,b 2 ) - -1. 



(8) 



These measurement results are used in the protocol to 
form a secret key. Four other basis combinations are 
used to check for possible eavesdropping via computing 
the Clauser-Horne-Shimony-Holt quantity 

S = £(ai, bi) - £(ai, b 3 ) + £(a 3 , bi) + £(a 3 , b 3 ), (9) 



7 



Bob Alice 




FIG. 5: Possible measurements by Alice and Bob in the Ekert 
protocol. The circles represent the equator of the Poincare 
sphere. Measurement bases are denoted by letters with in- 
dices; each measurement can yield +1 or —1 result as labeled 
on the diagram. EPR, source of entangled photon pairs. 



which in the absence of eavesdropping should be equal to 
-2V2. 

If the pairs of detectors on both Alice's and Bob's sides 
have a total efficiency mismatch, Eve can successfully 
mount a faked states attack that provides S — —2>/2. 
She substitutes the source of entangled photons with one 
that generates, with certain probabilities, pairs of faked 
states listed below. We have assumed that, at Alice and 
at Bob, one detector is used to get the +1 measurement 
result in all three bases, and the other to get the —1 re- 
sult. We have also assumed that Alice and Bob normal- 
ize detection probabilities separately for each combina- 
tion of a,i and bj before computing E{&i,hj) correlation 
coefficients. Let's consider, step by step, how Eve can 
construct the faked states under these assumptions. 

The simplest set of faked states necessary for the attack 
to work consists of two pairs of states; however, to make 
the +1 and —1 measurements on each side equiprobable, 
we'll be considering symmetric combinations consisting 
of two pairs of faked states each. The first combina- 
tion named a will be detected with a uniform proba- 
bility and always produce total anticorrelation regard- 
less of Alice's and Bob's choice of basis. It can, for 
example, consist of a pair of states conjugate to every 
other state used in the protocol and sent to Alice and 
Bob with opposite values of the control parameter i +1 
and t_i, which blind the —1 and +1 detectors. When 
linear polarizations are used in the protocol, Eve can 
randomly send to Alice and Bob either a pair of cir- 
cular polarizations [(circular) t+1 , (circular) t _ 1 ] or a pair 
[ (circular) t _ 1 , (circular)t + J. If Eve only generated the 
combination a and nothing else, it would result in 

S = -1 - (-1) - 1 - 1 = -2. (10) 

To reach the desired value of S = —2^/2, we'll now target 
the second term in the equation for S. We devise a com- 
bination named /3 that only contributes to the -E(ai,ba) 
correlation coefficient but not to the other three corre- 
lation coefficients in the equation for S. In this combi- 
nation, Eve sends cither a pair [(|— a3)) f+1 , (|— bi))t +1 ] or 
a pair [( |a 3 )) t _ 1 , (|bi)) t _J. It produces total correlation 
for the pair of bases ai , b3 , as well as for three other pairs 



of bases (ai,b2; a2,b2; a2,b 3 ) which are not used in the 
protocol. In the remaining five possible pairs of bases, 
the combination (3 causes no coincident detections. If 
the combinations a and (3 are generated by Eve with 
probabilities P a — 0.586, Pp = 0.414, it results in 

S = -1 - (-0.172) - 1 - 1 = -2V2. 1 (11) 

Although we have reached the desired value of the quan- 
tity S, the terms in the equation for S have unequal 
absolute values, which can be noticed by Alice and Bob. 
The absolute values of the terms can be made equal, just 
as they are in the absence of the attack, if we add a 
third combination. The third combination named 7 con- 
tributes to all four correlation coefficients in the equa- 
tion for S. In this combination, Eve sends either a pair 
[(|-a 2 ))t +1 ,(|-b 2 ))t +1 ] or a pair [(|a 2 ))t_ 1 , (|b 2 ))t_J. It 
produces total correlation for the four pairs of bases 
used in computing S. It is easy to check that when 
the combinations are generated by Eve with probabili- 
ties P a = 0.116, P p = 0.653, P-y = 0.231, it results in 

S = -0.707 - (+0.707) - 0.707 - 0.707 = -2a/2. (12) 

Note that of the three combinations a, f3, 7, only a 
causes coincident detections in the pairs of bases a2,bi 
and a3,b 2 used to form the secret key. Detection results 
in these two pairs of bases are thus totally anticorrclatcd 
and the key is error-free. 

Although our attack reproduces the expected value of 
S, it has side effects. Detection probabilities for differ- 
ent combinations of bases become substantially unequal, 
and the three unused correlation coefficients are not re- 
produced properly. Thus, the attack relies on the absence 
of additional consistency checks on the data by the legit- 
imate users. We have not been able to come up with a 
set of faked states that does not produce any side effects. 
Also, the attack relies on the source of entangled photons 
being outside of Alice and Bob. If the source is placed in- 
side one of their setups and only one of the two photons is 
accessible to Eve, it seems to us that with protocols that 
use more than two bases (the Ekert protocol and the six- 
state protocol [40j|41j|42]), a zero-QBER attack using the 
approach described in this section cannot be constructed. 
However, the six-state protocol implemented on a setup 
that uses an external source of entangled photons could 
be successfully attacked using a faked pair source similar 
to the one described in this section. 



1 We make two remarks. Firstly, under the assumptions made, 
Eve could reach "unphysical" values of S beyond — 2v / 2 and al- 
most up to —4 by increasing the weight Pp in her statistical mix. 
Secondly, now that we know how the states in the combination 
/3 look like, we can simplify Eve's apparatus by forming the com- 
bination oc of the same states. In the combination a, Eve can 
replace a circular polarization with a statistical mixture of two 
states from a single basis used in the protocol. In particular, she 
can send either a pair [(|a3) or |— a3))t +1 , (|bi) or | — bi))t_ 1 ] or 
a pair [(|a 3 > or |-a 3 )) t _ 1 , (|bi> or |-bi)) t+1 ]. 
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VI. COUNTERMEASURES 

The partial detector efficiency mismatch is a flaw that 
is in principle unavoidable. Even if special care is taken 
to make detectors identical and eliminate possible con- 
trol parameters, finite manufacturing precision will al- 
ways leave possibility for Eve to control detector efficien- 
cies to some extent. We therefore believe that the best 
approach to close this loophole is the following. Through- 
out the design, manufacture and quality assurance of the 
detectors and QKD system, the worst-case efficiency mis- 
match should be specified. It is possible that special mea- 
sures would have to be taken to reduce the guaranteed 
value of mismatch (for example, in gated detectors it can 
be introduction of a random jitter into the detector gat- 
ing signal). Then, the worst-case value of efficiency mis- 
match should be accounted in the general security proof 
for the protocol used, and the amount of privacy ampli- 
fication if necessary be increased to guarantee security 
of the key. For the BB84 protocol, some quantitative 
estimates for the extra privacy amplification exist (see 
Sec. [IT]); for other protocols, they are not yet known. 

Monitoring the bit rates and coincidence statistics for 
different bit-basis combinations is useful as a general pre- 
caution. It is good because it can make Eve's life more 
difficult, as well as monitor the health of the hardware 
better. However, as we have discussed, Eve might have 
ways to maintain the bit rate and coincidence statistics 
unchanged, so this measure does not guarantee security. 

A countermeasure has recently been proposed in which 
Bob randomly switches assignment of his detectors to 
and 1 bit values by applying an additional tt shift at his 
phase modulator [25]. For example, in the BB84 pro- 
tocol Bob would randomly apply one of the four phase 
shifts (— ^r, — f , f , ^r) at his modulator to choose a 
combination of detection basis and detector assignment, 
instead of two phase shifts (— f , ?) to choose the de- 



tection basis. This countermeasure would prevent the 
straightforward faked states attack, because Eve would 
not know how to construct the faked state without know- 
ing the assignment of detectors in advance. However, Eve 
could run a time-shift type attack [221 125] in combina- 
tion with the large-pulse attack against Bob that reads 
his phase modulator settings [19] . In the time-shift at- 
tack, Eve only needs to know the assignment of detectors 
after she has manipulated quantum states. It is in prac- 
tice difficult to protect Bob's modulator from external 
interrogation, because any additional protective optical 
components at Bob's input would introduce unwanted at- 
tenuation to quantum states. Thus, this countermeasure 
does not seem to be sufficient. 

The cases of efficiency mismatch considered in this pa- 
per are necessarily idealized. There are many modifica- 
tions to the setups that would break the described at- 
tacks, e.g., using a slightly wider gate for one detector 
than for the other, or having four detectors in the setup 
instead of two. However, such modifications do not elim- 
inate efficiency mismatch per se, and the problem that 
Eve might still exploit it (even if it is a one-sided mis- 
match) using a more sophisticated attack remains. 

VII. CONCLUSION 

We have shown that detector efficiency mismatch can 
be exploited to attack the SARG04 and Ekert protocols, 
as well as schemes that use the phase-time encoding and 
the DPSK protocol. The faked states attacks considered 
here might not be the optimal ones; however, they cer- 
tainly set upper bounds on the secret information. We 
emphasize the necessity of characterizing the detector 
setup thoroughly and establishing security proofs with 
partial detector efficiency mismatch integrated into the 
equipment model. 
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